The United States and a coalition of its allies, including the EU, Britain and NATO, have formally accused China and its authorities of a large-scale hacking campaign to break into Microsoft Exchange servers. Recall that these attacks have been going on since the beginning of 2021 and have targeted tens of thousands of companies and organizations around the world. China is reported to have used Microsoft’s “zero-day Exchange Server vulnerabilities disclosed in early March 2021 for cyber espionage operations.”
In early March 2021, Microsoft engineers released out-of-band patches for four vulnerabilities in the Exchange mail server, which researchers collectively named ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065).
These vulnerabilities can be chained together, allowing an attacker to authenticate to the Exchange server, gain administrator rights, install malware and steal data.
Already in March, attacks on vulnerable servers were being carried out by more than 10 hacking groups, which deployed web shells, miners and ransomware on the compromised servers.
The UK also added that China’s Ministry of State Security is behind “government hacker groups” such as APT40 and APT31.
The Department of Justice, NSA, CISA and the FBI have already released technical guidance on detecting intrusions and activity by Chinese hacking groups targeting networks in the United States and allied countries. American law enforcement has also published indicators of compromise for APT40 so that companies can detect the presence of these hackers on their networks.
It is worth noting that almost simultaneously with the accusations against China, the US Department of Justice announced criminal charges against four Chinese citizens who are allegedly members of the aforementioned hacking group APT40.
Chinese representatives have already responded to the accusations. Foreign Ministry spokesman Zhao Lijian said at a press conference that it is the United States that is “the largest source of cyber-attacks in the world”; that it has attacked Chinese aerospace, scientific and research institutions, the oil industry, government agencies and Internet companies for the past 11 years (the conclusion reached last year by researchers at the Chinese company Qihoo 360); that it eavesdrops on the conversations of both its competitors and its allies; and that it is pressuring NATO and other allies to create a military alliance in cyberspace that “could provoke a [race] of cyber weapons and undermine international peace and security.”